authorMichael Niedermayer <michaelni@gmx.at>2012-11-18 21:36:06 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-11-18 23:02:46 +0100
commit8a03a60b4af46c001d5686b9303f48f6c4ebdf6c (patch)
tree6a5bd2343266c1aae55515fd0dc3366180769bcc
parent27d39c225bb35e25431f562160cf28f3aacdb3c7 (diff)
h264: Check gray scale CBP, fix out of array accesses.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/h264_cabac.c5
-rw-r--r--libavcodec/h264_cavlc.c5
2 files changed, 10 insertions, 0 deletions
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index a37094b3f5..76a648143d 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2266,6 +2266,11 @@ decode_intra_mb:
cbp = decode_cabac_mb_cbp_luma( h );
if(decode_chroma)
cbp |= decode_cabac_mb_cbp_chroma( h ) << 4;
+ } else {
+ if (!decode_chroma && cbp>15) {
+ av_log(s->avctx, AV_LOG_ERROR, "gray chroma\n");
+ return AVERROR_INVALIDDATA;
+ }
}
h->cbp_table[mb_xy] = h->cbp = cbp;
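Review bot: The added guard in the `else` branch carries no comment, and its log text `"gray chroma\n"` gives someone triaging a rejected stream neither the offending value nor the rule that was violated. The commit title ties the check to out-of-array accesses, but the array and the origin of `cbp` on this path lie outside the hunk, so a one-line comment such as `/* chroma bits in cbp (cbp > 15) are invalid when chroma is not decoded; reject rather than let later code use them */` would keep the check from being mistaken for dead code. The message could carry the value, e.g. `"cbp %d has chroma bits set but chroma is not decoded\n", cbp`, with the specifier matched to `cbp`'s declaration, which is not visible here. The identical lines in the h264_cavlc.c hunk would take the same comment and message.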
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 6dfe2474cc..cd1130a4bc 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -1070,6 +1070,11 @@ decode_intra_mb:
if(IS_INTRA4x4(mb_type)) cbp= golomb_to_intra4x4_cbp_gray[cbp];
else cbp= golomb_to_inter_cbp_gray[cbp];
}
+ } else {
+ if (!decode_chroma && cbp>15) {
+ av_log(s->avctx, AV_LOG_ERROR, "gray chroma\n");
+ return AVERROR_INVALIDDATA;
+ }
}
if(dct8x8_allowed && (cbp&15) && !IS_INTRA(mb_type)){
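Review bot: The wrapper `} else { if (!decode_chroma && cbp>15) { ... } }` adds a nesting level that `} else if (!decode_chroma && cbp > 15) {` would avoid, here and in the h264_cabac.c hunk. Both entropy decoders now carry the same five lines verbatim, so any later change to the condition or the error code has to be made in two places. If the two files already share a header, a small inline helper there would keep the checks in step. The enclosing function begins and ends outside the hunk.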